AOO410/main/sal/systools/win32/uwinapi/GetProcessId.cpp - openoffice - Git at Google

 /**************************************************************
  *
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  *
  *************************************************************/


 #include "macros.h"
 #include "win95sys.h"
 #include <tlhelp32.h>
 static FARPROC WINAPI GetRealProcAddress( HMODULE hModule, LPCSTR lpProcName )
 {
     FARPROC	lpfn = GetProcAddress( hModule, lpProcName );

 	if ( lpfn )
 	{
 		if ( 0x68 == *(LPBYTE)lpfn )
 		{
 			/*
 			82C9F460 68 36 49 F8 BF       push        0BFF84936h
 			82C9F465 E9 41 62 2F 3D       jmp         BFF956AB
 			*/

 			lpfn = (FARPROC)*(LPDWORD)((LPBYTE)lpfn + 1);

 			/*
 			BFF956AB 9C                   pushfd
 			BFF956AC FC                   cld
 			BFF956AD 50                   push        eax
 			BFF956AE 53                   push        ebx
 			BFF956AF 52                   push        edx
 			BFF956B0 64 8B 15 20 00 00 00 mov         edx,dword ptr fs:[20h]
 			BFF956B7 0B D2                or          edx,edx
 			BFF956B9 74 09                je          BFF956C4
 			BFF956BB 8B 42 04             mov         eax,dword ptr [edx+4]
 			BFF956BE 0B C0                or          eax,eax
 			BFF956C0 74 07                je          BFF956C9
 			BFF956C2 EB 42                jmp         BFF95706
 			BFF956C4 5A                   pop         edx
 			BFF956C5 5B                   pop         ebx
 			BFF956C6 58                   pop         eax
 			BFF956C7 9D                   popfd
 			BFF956C8 C3                   ret
 			*/
 		}
 	}

     return lpfn;
 }


 typedef DWORD (WINAPI OBFUSCATE)( DWORD dwPTID );
 typedef OBFUSCATE *LPOBFUSCATE;

 static DWORD WINAPI Obfuscate( DWORD dwPTID )
 {
     static LPOBFUSCATE lpfnObfuscate = NULL;

 	if ( !lpfnObfuscate )
 	{
 		LPBYTE lpCode = (LPBYTE)GetRealProcAddress( GetModuleHandleA("KERNEL32"), "GetCurrentThreadId" );

 		if ( lpCode )
 		{
 			/*
 			GetCurrentThreadId:
 			lpCode + 00 BFF84936 A1 DC 9C FC BF       mov         eax,[BFFC9CDC]	; This is the real thread id
 			lpcode + 05 BFF8493B FF 30                push        dword ptr [eax]
 			lpCode + 07 BFF8493D E8 17 C5 FF FF       call        BFF80E59			; call Obfuscate function
 			lpcode + 0C BFF84942 C3                   ret
 			*/

 			DWORD	dwOffset = *(LPDWORD)(lpCode + 0x08);

 			lpfnObfuscate = (LPOBFUSCATE)(lpCode + 0x0C + dwOffset);
 			/*
 			Obfuscate:
 			BFF80E59 A1 CC 98 FC BF       mov         eax,[BFFC98CC]
 			BFF80E5E 85 C0                test        eax,eax
 			BFF80E60 75 04                jne         BFF80E66
 			BFF80E62 33 C0                xor         eax,eax
 			BFF80E64 EB 04                jmp         BFF80E6A
 			BFF80E66 33 44 24 04          xor         eax,dword ptr [esp+4]
 			BFF80E6A C2 04 00             ret         4
 			*/
 		}

 	}

 	return lpfnObfuscate ? lpfnObfuscate( dwPTID ) : 0;
 }


 EXTERN_C DWORD WINAPI GetProcessId_WINDOWS( HANDLE hProcess )
 {
 	if ( GetCurrentProcess() == hProcess )
 		return GetCurrentProcessId();

 	DWORD	dwProcessId = 0;
 	PPROCESS_DATABASE	pPDB = (PPROCESS_DATABASE)Obfuscate( GetCurrentProcessId() );

 	if ( pPDB && K32OBJ_PROCESS == pPDB->Type )
 	{
 		DWORD	dwHandleNumber = (DWORD)hProcess >> 2;

 		if ( 0 == ((DWORD)hProcess & 0x03) && dwHandleNumber < pPDB->pHandleTable->cEntries )
 		{
 			if (
 				pPDB->pHandleTable->array[dwHandleNumber].pObject &&
 				K32OBJ_PROCESS == pPDB->pHandleTable->array[dwHandleNumber].pObject->Type
 				)
 			dwProcessId = Obfuscate( (DWORD)pPDB->pHandleTable->array[dwHandleNumber].pObject );
 		}

 		SetLastError( ERROR_INVALID_HANDLE );
 	}

 	return dwProcessId;
 }


 EXTERN_C DWORD WINAPI GetProcessId_NT( HANDLE hProcess )
 {
 	SetLastError( ERROR_CALL_NOT_IMPLEMENTED );
 	return 0;
 }


 EXTERN_C void WINAPI ResolveThunk_GetProcessId( FARPROC *lppfn, LPCSTR lpLibFileName, LPCSTR lpFuncName )
 {
 	if ( (LONG)GetVersion() < 0 )
 		*lppfn = (FARPROC)GetProcessId_WINDOWS;
 	else
 	{
 		FARPROC	lpfnResult = GetProcAddress( LoadLibraryA( lpLibFileName ), lpFuncName );
 		if ( !lpfnResult )
 			lpfnResult = (FARPROC)GetProcessId_NT;

 		*lppfn = lpfnResult;
 	}
 }


 DEFINE_CUSTOM_THUNK( kernel32, GetProcessId, DWORD, WINAPI, GetProcessId, ( HANDLE hProcess ) );
	/**************************************************************
	*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*
	*************************************************************/



	#include "macros.h"
	#include "win95sys.h"
	#include <tlhelp32.h>
	static FARPROC WINAPI GetRealProcAddress( HMODULE hModule, LPCSTR lpProcName )
	{
	FARPROC lpfn = GetProcAddress( hModule, lpProcName );

	if ( lpfn )
	{
	if ( 0x68 == *(LPBYTE)lpfn )
	{
	/*
	82C9F460 68 36 49 F8 BF push 0BFF84936h
	82C9F465 E9 41 62 2F 3D jmp BFF956AB
	*/

	lpfn = (FARPROC)*(LPDWORD)((LPBYTE)lpfn + 1);

	/*
	BFF956AB 9C pushfd
	BFF956AC FC cld
	BFF956AD 50 push eax
	BFF956AE 53 push ebx
	BFF956AF 52 push edx
	BFF956B0 64 8B 15 20 00 00 00 mov edx,dword ptr fs:[20h]
	BFF956B7 0B D2 or edx,edx
	BFF956B9 74 09 je BFF956C4
	BFF956BB 8B 42 04 mov eax,dword ptr [edx+4]
	BFF956BE 0B C0 or eax,eax
	BFF956C0 74 07 je BFF956C9
	BFF956C2 EB 42 jmp BFF95706
	BFF956C4 5A pop edx
	BFF956C5 5B pop ebx
	BFF956C6 58 pop eax
	BFF956C7 9D popfd
	BFF956C8 C3 ret
	*/
	}
	}

	return lpfn;
	}


	typedef DWORD (WINAPI OBFUSCATE)( DWORD dwPTID );
	typedef OBFUSCATE *LPOBFUSCATE;

	static DWORD WINAPI Obfuscate( DWORD dwPTID )
	{
	static LPOBFUSCATE lpfnObfuscate = NULL;

	if ( !lpfnObfuscate )
	{
	LPBYTE lpCode = (LPBYTE)GetRealProcAddress( GetModuleHandleA("KERNEL32"), "GetCurrentThreadId" );

	if ( lpCode )
	{
	/*
	GetCurrentThreadId:
	lpCode + 00 BFF84936 A1 DC 9C FC BF mov eax,[BFFC9CDC] ; This is the real thread id
	lpcode + 05 BFF8493B FF 30 push dword ptr [eax]
	lpCode + 07 BFF8493D E8 17 C5 FF FF call BFF80E59 ; call Obfuscate function
	lpcode + 0C BFF84942 C3 ret
	*/

	DWORD dwOffset = *(LPDWORD)(lpCode + 0x08);

	lpfnObfuscate = (LPOBFUSCATE)(lpCode + 0x0C + dwOffset);
	/*
	Obfuscate:
	BFF80E59 A1 CC 98 FC BF mov eax,[BFFC98CC]
	BFF80E5E 85 C0 test eax,eax
	BFF80E60 75 04 jne BFF80E66
	BFF80E62 33 C0 xor eax,eax
	BFF80E64 EB 04 jmp BFF80E6A
	BFF80E66 33 44 24 04 xor eax,dword ptr [esp+4]
	BFF80E6A C2 04 00 ret 4
	*/
	}

	}

	return lpfnObfuscate ? lpfnObfuscate( dwPTID ) : 0;
	}


	EXTERN_C DWORD WINAPI GetProcessId_WINDOWS( HANDLE hProcess )
	{
	if ( GetCurrentProcess() == hProcess )
	return GetCurrentProcessId();

	DWORD dwProcessId = 0;
	PPROCESS_DATABASE pPDB = (PPROCESS_DATABASE)Obfuscate( GetCurrentProcessId() );

	if ( pPDB && K32OBJ_PROCESS == pPDB->Type )
	{
	DWORD dwHandleNumber = (DWORD)hProcess >> 2;

	if ( 0 == ((DWORD)hProcess & 0x03) && dwHandleNumber < pPDB->pHandleTable->cEntries )
	{
	if (
	pPDB->pHandleTable->array[dwHandleNumber].pObject &&
	K32OBJ_PROCESS == pPDB->pHandleTable->array[dwHandleNumber].pObject->Type
	)
	dwProcessId = Obfuscate( (DWORD)pPDB->pHandleTable->array[dwHandleNumber].pObject );
	}

	SetLastError( ERROR_INVALID_HANDLE );
	}

	return dwProcessId;
	}


	EXTERN_C DWORD WINAPI GetProcessId_NT( HANDLE hProcess )
	{
	SetLastError( ERROR_CALL_NOT_IMPLEMENTED );
	return 0;
	}


	EXTERN_C void WINAPI ResolveThunk_GetProcessId( FARPROC *lppfn, LPCSTR lpLibFileName, LPCSTR lpFuncName )
	{
	if ( (LONG)GetVersion() < 0 )
	*lppfn = (FARPROC)GetProcessId_WINDOWS;
	else
	{
	FARPROC lpfnResult = GetProcAddress( LoadLibraryA( lpLibFileName ), lpFuncName );
	if ( !lpfnResult )
	lpfnResult = (FARPROC)GetProcessId_NT;

	*lppfn = lpfnResult;
	}
	}


	DEFINE_CUSTOM_THUNK( kernel32, GetProcessId, DWORD, WINAPI, GetProcessId, ( HANDLE hProcess ) );